Avoiding script kiddies


Now that my new server is nearing completion, with Rails 2.3.3, Ruby 1.9.1 and various gems installed for my dyndns and CMS systems, I need to protect it from script kiddies ;)

Yesterday I saw that someone was already probing my server, from this entry in the Apache logs: w00tw00t.at.ISC.SANS.DFind. And this just days after I got the server operational :). It means some kiddy tried to run dfind on my server to check for exploits. So I installed some software to check that he didn't succeed, and I will also try dfind myself on my own server regularly to see if it is still secured.
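
A way to follow up on that log entry, as an added example that is not part of the original post: the script finds every client that sent the DFind probe and lists all of its requests, marking those the server answered with a 2xx or 3xx status for review. It assumes Apache's common/combined log format; the sample log lines, IP addresses, dates and paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): list every request made by
# clients that sent the DFind probe, so follow-up activity can be reviewed.
# Assumes Apache common/combined log format.

SIGNATURE='w00tw00t.at.ISC.SANS.DFind'

# dfind_report LOGFILE
#   Pass 1: remember each client IP whose log line contains the signature.
#   Pass 2: print all requests from those IPs; responses with a 2xx/3xx
#           status are marked REVIEW, everything else "rejected".
dfind_report() {
    awk -v sig="$SIGNATURE" '
        NR == FNR { if (index($0, sig)) probers[$1] = 1; next }
        ($1 in probers) {
            split($0, q, "\"")       # q[2] is the request line, q[3] holds status and bytes
            split(q[3], rest, " ")   # rest[1] is the HTTP status code
            verdict = (rest[1] ~ /^[23]/) ? "REVIEW" : "rejected"
            printf "%s %s %s \"%s\"\n", verdict, $1, rest[1], q[2]
        }
    ' "$1" "$1"
}

# Constructed sample log (documentation IP ranges, invented paths and dates).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
203.0.113.7 - - [10/Aug/2009:03:12:01 +0200] "GET /w00tw00t.at.ISC.SANS.DFind:) HTTP/1.1" 400 226 "-" "-"
198.51.100.23 - - [10/Aug/2009:03:12:05 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2009:03:12:09 +0200] "GET /admin/ HTTP/1.1" 404 210 "-" "-"
203.0.113.7 - - [10/Aug/2009:03:12:14 +0200] "GET /cms/login HTTP/1.1" 200 1830 "-" "-"
EOF

dfind_report "$SAMPLE"
```

On a real server, pass the path of the Apache access log instead of the sample file; any REVIEW line is a request from a probing host that the server actually served.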

Chkrootkit software

Chkrootkit - chkrootkit is a tool to locally check for signs of a rootkit. Type the following command to install chkrootkit:

sudo apt-get install chkrootkit

Start looking for rootkits, enter:
sudo chkrootkit

Look for suspicious strings, enter:
sudo chkrootkit -x | less

chkrootkit relies on external commands such as awk, grep and others, so you need to tell it where to find copies you trust. Mount /mnt/safe over NFS in read-only mode and pass it as the trusted path for those binaries, enter:
sudo chkrootkit -p /mnt/safe

rkhunter software

rkhunter - rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications. Type the following command to install rkhunter:
sudo apt-get install rkhunter

The following command option tells rkhunter to perform various checks on the local system:
sudo rkhunter --check

The following command option causes rkhunter to check if there is a later version of any of its text data files:
sudo rkhunter --update

The following option tells rkhunter which directories to look in to find the various commands it requires:
sudo rkhunter --check --bindir /mnt/safe

That's all for now. Hopefully it will keep my server safe for a while ;)
